by idlewords 2532 days ago
This is a silly and absolutist position to take on HTTP. Everything depends on context, and in many cases it is far better to serve things over open HTTP than go offline.

If you had reason to previously set up your site with HTTPS, you should never fall back to serving anything other than static assets (and even then, you better have a damn good reason) over HTTP from that same domain. Period.

Sorry, but sometimes security is absolute.

In what situation that you can conjure up is being forcibly reduced to HTTP distinguishable from being down?

Like, how does it happen, ever?

And what happens to your users' credentials if you do?

When you have publicly accessible resources that must be available to all, but you can't guarantee that the accessing systems are configured correctly to use HTTPS.

There are plenty of scenarios in which this happens online:

* Legacy systems (e.g. Aminet)

* Software distribution (e.g. apt mirrors)

* Anything involving FTP where an HTTP mirror would be useful (e.g. overcoming FW restrictions)

* Anything where permissionless access is a requirement (HTTPS is a permissioned system)